In order to operate, Prisma Cloud requires a number of connections between components. The following diagram shows the ports and connections required. To fit the needs of various customer environments and deployments, all ports are configurable at install time (for more information, see the inline comments in twistlock.cfg).
Customers typically place Console in a management security zone or other segregated part of their network. Some customers might also want to place a firewall between Console and Defender. Prisma Cloud can interoperate with firewalls wherever necessary, provided the required TCP ports are open.
When using the Prisma Cloud Compute SaaS Console, customers need to allow connectivity from their deployed Defenders to the SaaS Console through their firewalls on port 443.
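As an added example (not Prisma Cloud's own tooling), the following preflight check can be run from a Defender host before deployment to confirm that the Console's TCP ports are reachable through any firewall placed between Defender and Console. The config keys and port values in `SAMPLE_CFG` are constructed in the `KEY=VALUE` style of twistlock.cfg, not copied from a real install, and the Console hostname is a placeholder.

```python
"""Preflight TCP reachability check from a Defender host toward Console.

Added example, not Prisma Cloud's own code. Port names and values below are
constructed in twistlock.cfg's shell-style KEY=VALUE format; take the real
ones from your own twistlock.cfg (all ports are configurable at install).
"""
import re
import socket

# Constructed sample; keys and values are illustrative, not a real install.
SAMPLE_CFG = """
# Console listener ports (constructed values)
MANAGEMENT_PORT_HTTPS=8083   # GUI / API
COMMUNICATION_PORT="8084"    # Defender to Console
"""

# SaaS Console: the only port Defenders need through the firewall is 443.
SAAS_PORTS = {"SAAS_CONSOLE": 443}


def parse_ports(cfg_text):
    """Return {KEY: port} for every *PORT* assignment with a numeric value.
    Trailing '#' comments and surrounding quotes are stripped."""
    ports = {}
    for line in cfg_text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r'^([A-Z0-9_]*PORT[A-Z0-9_]*)=["\']?(\d+)["\']?$', line)
        if m:
            ports[m.group(1)] = int(m.group(2))
    return ports


def tcp_reachable(host, port, timeout=3.0):
    """True only if a full TCP handshake to host:port completes in time."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out (filtered), unroutable, ...
        return False


def check_console(host, ports, timeout=3.0):
    """Map each named port to reachability; False means a firewall rule or a
    missing listener is blocking that Console connection."""
    return {name: tcp_reachable(host, p, timeout) for name, p in ports.items()}


def local_listener():
    """Throwaway listener on 127.0.0.1 so the check can be demonstrated
    offline; returns (socket, port). Real runs target the Console host."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = local_listener()
    demo = {"OPEN_PORT": port, "BLOCKED_PORT": 1}  # nothing listens on tcp/1
    for name, ok in check_console("127.0.0.1", demo).items():
        print(f"{name}: {'open' if ok else 'BLOCKED'}")
    srv.close()
    # Real use: check_console("console.example.internal", parse_ports(cfg))
    # for a self-hosted Console, or check_console(saas_host, SAAS_PORTS).
```

Against a real Console, pass the text of your twistlock.cfg to `parse_ports` and the Console hostname to `check_console`; any `False` entry is a port the firewall (or load balancer) is not passing.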
When Defender DaemonSets are deployed with Istio monitoring enabled, Prisma Cloud can discover the service mesh and show you the RBAC capabilities for each service (e.g. this pod can read service X using REST/gRPC on the following endpoints). Services integrated with Istio display the Istio logo.
A common configuration involves placing a load balancer in front of Console for access to the GUI and the API. Prisma Cloud can interoperate with traditional hardware or software load balancers, as well as load balancers from all major cloud service providers.
When using Prisma Cloud Compute with a SaaS Console managed by Prisma, a load balancer in front of Console is not suggested.